Microsoft Cloud Authors: Janakiram MSV, Yeshim Deniz, David H Deans, Andreas Grabner, Stackify Blog

Related Topics: Microsoft Cloud, Microservices Expo, Containers Expo Blog, Cloud Security

Microsoft Cloud: Tutorial

RDP Exploitation Using Cain

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”

The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server.  RDP is designed to support different types of network topologies and multiple LAN protocols.  Remote Desktop Services formerly know as Terminal Services on Windows 2000 Server allow a server to host multiple, simultaneous client sessions.  Remote Desktop uses Remote Desktop Services technology to allow a single session to run remotely.  Thus a user can connect to a Remote Desktop Session Host server by using Remote Desktop Connection (RDC) client software.

Cain has the ability to do a man in the middle attack against the RDP “Remote Desktop Protocol”.  Cain is compiled using Microsoft Visual C++ and linked as a single executable file named “Cain.exe”.  Developed with a simple Windows graphical user interface, its main purpose is to concentrate several hacking techniques and proof of concepts providing a simplified tool focused on the recovery of passwords and authentication credentials from various sources.

Windows 2008 R2 has added some remote desktop services to its server such as RemoteApp, RD gateway, and RD Visualization Host.  The windows server role now provides increased flexibility to deploy individual applications or full desktops via RDS or a VDI solution.  The following is a list of Windows 2008 R2 individual applications that are available to users over the Remote Desktop Protocol (RDP).

  1. Remote Desktop Virtualization
  2. Remote Desktop IP Virtualization
  3. RDP & Remote Desktop Connection version 7.0
  4. Fair Share CPU scheduling
  5. Windows Installer compatibility
  6. True multiple monitor support for up to 16 monitors
  7. RDS Provider for PowerShell

With these new improvements the door is open for potential security issues depending on how you deploy RDS.  So RDS included a number of security mechanisms to help make RD connections more secure such as Network Level Authentication (NLA), Transport Layer Security (TLS), Group Policy, RD Web Access, and RD Gateway. 

NLA requires that the user be authenticated to the RD Session Host server before a session is created.  This helps protect the remote computer from malicious users and malware.  The client computer must be at Windows XP service pack 3 or above to use NLA.  Transport Layer Security (TLS) can use one of three security layers for protecting communications between the client and the RDS Session Host server:

  • RDP security layer – uses native RDP encryption and is least secure
  • Negotiate – TLS 1.0 (SSL) encryption used if the client supports it
  • SSL – TLS 1.0 encryption will be used for server authentication and encryption of data sent between the client and Session Host server.  This is the most secure.  You will need a digital certificate, which can be issued by a CA or self-signed.

This security can be all for not with some lax controls and an effective formidable foe using Cain on your network segment.  Cain runs on windows machines (Windows 9x & Windows NT/2000/XP) below is a screenshot of the interface. (see figure #1)

In this tutorial I have Cain running on a Windows XP machine and placed in the same network segment as a Windows 7 machine that is communicating with a Windows 2008 R2 server.  Below is a list of the IP address assignments.

Figure 1: Cain screenshot

Windows 7                
Windows XP (Attacker)
Windows 2008 R2   

When you fire up Cain you will be given a gui interface with a list of decoders, network, sniffer, cracker, traceroute, CCDU, wireless, and query tabulated across the top.  The first thing you want to do is select you interface by clicking on the sniffer icon at the top.  If you have more than one interface then you need to select the appropriate interface for your work.  This will start the sniffer and allow you to see what devices are available on the network segment (see Figure #2). 

Next you can select what devices you would like to sniff traffic to and from (see Figure #3).  Now you are ready to arp poison the network segment between your Windows 7 and Windows 2008 R2 Server by clicking on the radioactive button you will notice the status will change from idle to poisoning (see Figure #4).

Figure 2: Devices available on network segment

Now that the attack is set we need to go to our Windows 7 client and RDP into our Windows 2008 R2 server.  Now if you are doing this on a recent installation of Windows 2008 R2 server than you will have no problems within the first 120 days.  After that the grace period is over and a license server needs to be installed and activated.  But if your company is like most that I have worked for then money is tight and if there is a way found to get around purchasing a license all the better.  A Client Access License (CAL) is required for each client requiring access to Windows Server 2008 Terminal Services.  Once installed you can utilize the features I listed above to secure your RDP sessions.  But if your like most organizations you can always find a way around this license requirement.

Figure 3: Select devices you want to sniff traffic to and from

When you try connecting to the Windows 2008 R2 Server after the 120 day grace period via RDP you will get this error message if you don't have your Client Access License setup and configured (see Figure #5).

Figure 4: Status change from idle to poisoning

Figure 5: Error message

The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license.  Please contract the server administrator.  Now when the client in this case the Windows 7 machine – connects to an RD Session Host server it determines if an RDS CAL is needed.  The server then request an RDS CAL from a Remote Desktop license server on behalf of the client (Windows 7) and issued to the client and able to connect to the RD Session Host server (Windows 2008 R2).  But windows allows for 2 RDP sessions to the host machine even without the license server.  Network Administrators who do maintenance on servers (ie check status, run updates, etc) can RDP in  with the admin command like so: mstsc /v: IP_or_hostname /admin

Make sure there is a space after the IP address and before the /admin.  Many Network Administrators using this function disregard the identity of the remote computer warning message and connect anyway. (see Figure #6)

Figure 6: mstsc command and RDP warning message

Now we can connect from our Windows 7 client to our Windows 2008 R2 Server using RDP (see Figure # 7).

Figure 7: RDP login screen

Once we are provide the login information and password we are given access to our Windows 2008 R2 Server (see Figure #8).  Now lets go back and see what information Cain has saved for us running on our attack machine Windows XP (see Figure #9)

Figure 8:  Administrator Desktop of Windows 2008 Server R2

Figure 9: Files saved in ARP RDP (2)

This file that is saved pulls out keystrokes from the decrypted log file made by Cain and you can do this by hand or you can get the script by Adrian Crenshaw owner of irongeek.com.  The script is written in AutoIt v3 and works quite well.  Here is a screenshot of the parsed file run through Adrian's script (see Figure #10).

Figure 10: log parsed with Adrian's script

References on the Web:


Let pbnetworks get your pen test on target

Visit us and learn how http://pbnetworks.net
How secure is your network?

More Stories By David Dodd

David J. Dodd is currently in the United States and holds a current 'Top Secret' DoD Clearance and is available for consulting on various Information Assurance projects. A former U.S. Marine with Avionics background in Electronic Countermeasures Systems. David has given talks at the San Diego Regional Security Conference and SDISSA, is a member of InfraGard, and contributes to Secure our eCity http://securingourecity.org. He works for Xerox as Information Security Officer City of San Diego & pbnetworks Inc. http://pbnetworks.net a Service Disabled Veteran Owned Small Business (SDVOSB) located in San Diego, CA and can be contacted by emailing: dave at pbnetworks.net.

@ThingsExpo Stories
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
"There's plenty of bandwidth out there but it's never in the right place. So what Cedexis does is uses data to work out the best pathways to get data from the origin to the person who wants to get it," explained Simon Jones, Evangelist and Head of Marketing at Cedexis, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buye...
SYS-CON Events announced today that Telecom Reseller has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
WebRTC is great technology to build your own communication tools. It will be even more exciting experience it with advanced devices, such as a 360 Camera, 360 microphone, and a depth sensor camera. In his session at @ThingsExpo, Masashi Ganeko, a manager at INFOCOM Corporation, introduced two experimental projects from his team and what they learned from them. "Shotoku Tamago" uses the robot audition software HARK to track speakers in 360 video of a remote party. "Virtual Teleport" uses a multip...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
Leading companies, from the Global Fortune 500 to the smallest companies, are adopting hybrid cloud as the path to business advantage. Hybrid cloud depends on cloud services and on-premises infrastructure working in unison. Successful implementations require new levels of data mobility, enabled by an automated and seamless flow across on-premises and cloud resources. In his general session at 21st Cloud Expo, Greg Tevis, an IBM Storage Software Technical Strategist and Customer Solution Architec...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics gr...